Posted by CmdrTaco on Wednesday August 17, 2011 @10:24AM
from the i-see-what-you-did-there dept.

An anonymous reader writes "Researchers from UCSD have demonstrated how thermal imagery cameras can be used to steal customers' PINs (PDF) when you withdraw cash from ATMs. Their paper, entitled 'Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks', (PDF) discovered that plastic PIN pads were the best for retaining heat signatures showing which numbers (and in which order) were used by bank customers. Fortunately the methodology does not appear to have been used by criminals yet, but a third of people surveyed admit that they do not check ATMs for tampering before withdrawing cash."

Their paper, entitled 'Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks'...

Oh sure everybody wants to show how easy it is to steal everyone else's PIN but when you release a paper detailing how to do it with X-rays and guarantee the target develops cancer and dies within a month leaving their account ripe for unnoticed pilfering then you've "gone too far"!

Based on the relative costs (and sizes) of the existing visible-spectrum-camera-hidden-on-the-ATM technology and the available thermal imaging gear, I'm somewhat inclined to doubt any significant uptake.

Even if you go fleabaying, a thermal imaging system up to the task will easily be north of $1,000, and the cheap seats are often rather bulky and don't exactly sip power. If you go with something handheld, the fact that many of them look very much unlike normal digital cameras will make you stand out a goo

Not to mention anybody who has watched the news lately has seen that the threat at ATMs isn't some hacker nerd but a "Thug Life!"er sticking a gun in your ribs or bashing your head in with a rock and just taking the money after you have put in the pin.

And has anyone else noticed that for the "Thug Life!"ers there is no such thing as robbery? There is murder with a cash bonus. We had a typical "Thug life!"er robbery in the next town over a couple of months ago, the "Thug Life!"er walks into a nail salon, bl

Hmm, I knew there was a reason that I rested all of my fingers uniformly across the keypad, gently caressing their every ridge and facet as I discreetly pumped out my digits into their PIN pad. Well, another reason, at least.

Also I try to think about a completely different song than the one that corresponds to the letters that correspond to the numbers of my PIN, just to thwart any brainwave phreaking attacks as well.

But still hoping we score some decent security measures out of this, like maybe a bank-issued gold card or something.

Makes sense. Even though I cover my typing hand with my other hand, I always add a few more fake keypresses so that any camera can't make a rough guess, judging by the quadrant of the image showing slight movement, which key was actually pressed. So now I have to do this for infra red coverage also. Great.

I picked up this habit after working in a classified area with a cipher lock. After I'd enter the cipher, I'd swipe my fingers over all the buttons to make it harder for a potential bad guy to analyze the wear/fingerprint patterns on the lock.

It looks likely you were mostly joking (so, that makes me feel equally bad about admitting this). But, when putting in my PIN, I typically rest several fingers on different numbers, move my hand around, and punch my PIN in that way, obscuring what I'm doing (not the typical one finger, one press approach).

For me, it was about making it tough for someone with a video camera set up to watch the ATM to figure out what my PIN is based on finger movement alone.

I suppose to that end, would getting the heat signature really be that superior to having a video camera set up with a telephoto lens? And if we were ever worried about heat signature, wouldn't simply wearing gloves defeat this "potential attack?"

Seems someone has figured out a complex way of collecting PINs.

Why not set up a loop of wire and, based on the different lengths of connection between electricity that flows from pressed keys to the processor, infer which key is pressed?

Right... it would cost more in time, money, and effort than one could make simply waiting for someone to walk up and rob with a gun.

But, when putting in my PIN, I typically rest several fingers on different numbers, move my hand around, and punch my PIN in that way, obscuring what I'm doing (not the typical one finger, one press approach).

I do it too -- I start at the top row, one finger per button, and then slide my hand down the keypad making contact with every button but only putting pressure on the one button that needs pushing. I repeat the process for each digit but make sure to slide my hand across the entire keypad each time. It didn't take much practice to get good at it, it still takes a little bit longer than just punching the numbers in directly, but not enough to matter.

Right... it would cost more in time, money, and effort than one could make simply waiting for someone to walk up and rob with a gun.

Never forget that any sort of ATM attack is anonymous and impersonal, whereas holding up someone with a gun means you personally are standing there in front of someone with a gun in your hand.

What the Internet has proven beyond a shadow of a doubt is that ordinary people who wouldn't think of shoplifting will go to incredible lengths to steal stuff on the Internet where they are anonymous and the action is impersonal. Someone who would never break into a house in person will break into a computer with impu

Seems like a risky thing to do. If you use a cloned card in a shop you will probably be on CCTV. If you use it on the internet then I suppose you can pay for some services (hiding behind a proxy or Tor) but any physical goods need to be delivered to an address. Most people don't have an address they can use to receive their ill-gotten gains.

What about all the other number keys you end up pressing when you define how much money you're depositing or withdrawing?

All this is making the simple task of stealing so complicated. Gypsy kids just hang around the ATM, wait for the withdraw screen to show up, run in, quickly press the auto denomination of the highest value and wait for the money to start spitting out before they grab and dash. Thermal cameras have got nothing on those kids.

I visited a company that had keypads on the doors. These pads would randomly arrange the digits with LEDs in the keys every time. It was a bit harder to find the keys you needed because they were always in a different place, but even if someone watched from the side they had a very narrow field of view, and this silly thermal approach wouldn't work either because the numbers went away after the door opened - you might know which keys they pressed, but not which digits.

After looking at the pictures of scanners in this (Consumerist Security Briefing from Gawker [gawker.com]) I don't think I could tell even if someone put 4 ATM machines in front of me and told me one of them had a skimmer, pick it out. These things fit so perfectly over the card reader it seems near impossible to tell without pulling out a knife and seeing if you can get anything to pop off, and I don't think that'd make most places happy.

Am I alone in not using ATMs? I prolly wouldn't know if a skimmer had been installed because I almost never visit ATMs. I mean, in any given year I can count on one hand the number of ATM withdrawals and checks written on one, maybe two hands. I stopped carrying cash years ago and if I truly need some, most of the time a POS cashout is closer than the bank, and doesn't charge a fee.

To be fair, I *do* use the ATM whenever I need to deposit checks, which is rarely enough. All that said, if I saw mysteriou

Except you already had your wallet out anyway to get to your cash card. And now your card is in the machine and you probably have no cash in it if you're at the ATM, so now they've got a wallet with things the average thief can't make use of, except maybe a condom or two. And given that this guy is posting on /. that condom has probably been there for 5+ years and is no longer effective. In nine months justice will be served. Take that, thief!

When I'm typing in my PIN I do a fancy jig with my fingers, and I use my fingernails - admittedly to avoid getting the ick from the ATM on my fingers - but that should help keep the thermal signatures down as well.

You joke, but there is a scene in American Treasure II where they fingerprint a keyboard and deduce the password using letters hit and a dictionary attack. One shift or caps-lock key use and it blows the solution space exponentially high.

I am waiting for ATMs to have NFC support. That way, my card and/or phone is needed so that I don't have to even touch that machine.

Reminds me of the apocryphal story of the D&D munchkin running a dwarven thief whose dungeon lockpicking strategy is to piss in the lock and then come back in a year or two after the mechanism had corroded...

this is an even better reason we need secure NFC transactions (with your mobile) asap. it's absurd to be typing a by-definition-weak password into an unauditable terminal. why hasn't some bank noticed that at least early adopters would pay for the privilege of paying securely?

then again, if banks simply secured their terminals, much of the hacked-ATM problem would disappear. yes, toilet-like stalls for each ATM...

Near field communication is only as secure as the size and sensitivity of the nearest antenna. Just because your mobile phone has a weak antenna doesn't mean a malicious actor has to limit himself.

Yes, screw NFC - we would be a lot better off with 2D barcodes [wikimedia.org] displayed on the phone and a camera on the POS terminal. If you need 2-way communication (which I doubt is really necessary) then just use the camera on the phone and a small (e-ink?) display on the POS terminal. Bonus in that no new tech on the consumer end is needed, every smart phone currently on the market has all you need to pull it off.

True, but accepting card payments is far more risky than simply buying stuff on a stolen card. To get any return you have to provide a bank account for them to pay the money into, and an address to send billing information to.

People have tried this sort of thing in the past with premium rate phone lines. They stole mobile and then set up a rig to dial their premium rate number over and over again. Naturally they were caught pretty quickly once the phone company started getting complaints.

Because it's a password, and last I checked, banks do not take responsibility for transactions that involved the PIN. They consider it the consumer's responsibility to maintain the secrecy of their PIN, regardless of its weakness. As a result, the banks have relatively little exposure to PIN based attacks, and therefore have little incentive to spend any money making it more secure.

This is partly why even though my credit card has a chip, it does not have a PIN. The other reason is my issuing bank didn't have the infrastructure set up to handle CC PINs when they started shipping chipped replacement cards out, but considering at least one guy's already been denied a disputed charge because his CC company claims the system is secure and it MUST have been him entering the PIN, I'll just keep signing my CC-paid bills for as long as I can.

it's absurd to be typing a by-definition-weak password into an unauditable terminal.

A hacked terminal isn't enough to break card security, obviously, the whole point is that you need both the card and the PIN. Merely having the PIN isn't enough. Modern cards can't be cloned unless you live somewhere still in the stone age, like the USA ;)

Isn't it cheaper to simply mug the ATM user after they are done and take cash while out of sight of the ATM machine's own camera? You'd have to do that anyway to get the card from them. Why get all technical?

1) You're limited to the 20$ the tightwad took out.
2) You would have to be able to mug them over and over again until caught
3) Likely the charge is less if you don't actually have to threaten anyone with a knife or gun.
4) You just need the number not the card, but even if you do need it, you can secretly steal it, make a copy and even return it.
5) It's way cooler.

As I cover my hand to hide the numbers I always touch more than the four digits whenever I input my PIN as I center my hand on the keypad. Most of the time I also fake pressing some digits by keeping my finger onto them. I never thought of the thermal way to recover PIN numbers but I think I am safe.

Well now that we have your PIN we can just knock you over the head and take your card. Before we had to kidnap and torture you to get you to reveal the PIN. This is so much easier. Who says that technology isn't improving our lives?

Because shortly you will not be the only one with the card. As others mentioned there is a skimmer attached somewhere on the ATM. This reads the data contained on the magnetic stripe of your card and records. It may transmit this data via Bluetooth to a local attacker, or store it locally. Skimmers usually can contain anywhere from 7-10,000 cards on them roughly.

Once this is accomplished the attacker will then either sell the data online, or begin creating his own fake credit cards. This process involves pu

I'd never heard of this method of attack until now. But it might explain why some of my bank's ATMs seem to have a high volume of cooling air blasting through any cracks and openings in the machine. Metal keys as well.

There was an article in a recent electronics magazine about building a code entry keypad that scrambles the digit positions between each entry attempt. This would make filming the keyboard difficult if one were to make the digit displays hard to see other than straight on. It would cause prob

Yes, these keypads have been in use for at least 10 years. You press a button to activate the keypad, and it randomly places the digits onto the pad so they're in a different place each time. After you successfully enter your code all of the numbers disappear. It certainly makes it slower to enter your PIN, but it also makes it impossible to surreptitiously determine your PIN.

It also makes it impossible for blind people to enter the PIN, so probably violates Disability Discrimination legislation. Keypads usually have a dimple on the No 5 button, and a blind person can figure out where the other buttons are from that.

Take a page from the iPhone's touchscreen accessibility mode. When you move a finger over an element, it reads it out. Obviously you don't want it read aloud so others can hear, but this would be a good use of most of my bank's ATMs audio-out jack.

Okay yes, then the criminals hack or replace the audio jack with their own. I assume Disability Discrimination laws don't allow fully-abled people to use features disabled ones can't (translation: blind people must be able to access new, more secure features, othe

Is it just me, or does anyone else tire over stories of ATM skimming/tampering? I guess my main point here is who the hell still uses an ATM anymore?

It's probably been at least 6 months since I've stepped in front of one. I can withdraw up to $100 at just about any store I go into when I use my debit card (multiple times a day too), and since there seems to be a rather large void of evidence regarding tampering of debit terminals inside stores and banks, the most obvious solution seems to be the answer her

I think your experience is probably in the US? Being able to get cash back from the store is not unheard of in other countries, but it's a lot less common than in the US. Also card payments are less common in other countries, usually cash is preferred. (On average it's a lot quicker, plus many people prefer not to leave a record of every little purchase they make.)

As for withdrawal fees - my German bank (DKB) lets me withdraw money anywhere in the world using my visa card, and they swallow the withdrawal

These cards with 'security chips' are a much greater risk. After entering your PIN, you must wait with the card sticking halfway out of the terminal pad while the transaction proceeds, during which time nobody guards their card. Who needs a heat camera when you can just peep over at someone entering their pin in the grocery line, snag their neatly exposed card, and drain their account at the nearest ATM? You can even yank it before the transaction completes to leave more money in the account! It's one t

When I saw this done on Max Headroom, I was skeptical that it could work. Not because a regular news camera had an "infra-red" mode, I expected that could happen (and some do, just not enough to be heat sensitive yet), but I thought the keys would cool down too fast. Good to know how scientifically accurate a show about a simulated human infecting the world's computer networks was.

"but a third of people surveyed admit that they do not check ATMs for tampering before withdrawing cash"

Yeah, I get it, some of you are typical Internet paranoid freaks who do this, but 99% of people don't. Why? I've never heard of anyone having their pin stolen. Ever. I've never known anyone who had money stolen from a bank account. We know the vast majority of cases of this are identity theft (which isn't pin theft). If someone did steal my PIN, they'd also need my wallet. My wallet was only stolen

If I see someone hunched over the ATM I just finished using, with this thermal camera, guess what I will be doing....smashing that camera to pieces in front of him.....

Seriously though, I think whether you dust for prints or heat or etc..... there is always a way to find the pin, which is why I subscribe to the new sms identification method gmail/facebook/hotmail uses, they should use that for banks and for credit cards

I typically type two of the four numbers with the back of my fingernails. It won't help videocameras unless I would try to obfuscate it further, but for any type of fingerprinting, thermal, oil, or other attempts to duplicate my PIN that I've seen on Hollywood movies or CSI, it's hard enough to figure out that the imaginary criminal would probably just jack the next guy instead. Plus it gives my wife something to make fun of if she ever catches it.

After you are finished with the ATM just press all the buttons on the keypad in random order leaving your finger on each key for a long hard press to really soak up your body heat. Kinda like scrambling the combination on a lock.